01 | SSL-VPN Loopback interface
If you bind the SSL-VPN listener to a loopback interface and steer inbound traffic to it with a VIP, the VPN traffic passes through a regular firewall policy, so you can apply L7 controls (UTM/IPS profiles, geo-IP source restrictions, full traffic logging) instead of only the L3/L4 filtering that local-in policies offer when SSL-VPN listens directly on the WAN interface.
Step 1 - Create the loopback interface
config system interface
edit "SSL-VPN-LO"
set vdom "root"
set ip 172.25.100.1 255.255.255.255
set allowaccess ftm
set type loopback
set role dmz
next
end
Step 2 - Create the DNAT using a VIP
config firewall vip
edit "SSL-VPN-LO-IP4"
set extip <external IP> ## Check with myip.nl for example
set mappedip "172.25.100.1"
set extintf "any"
set portforward enable
set extport 8443 ## Change to a different port if SSL-VPN is running on a different port
set mappedport 8443 ## Change to a different port if SSL-VPN is running on a different port
next
end
Step 3 - Create the firewall policy
The service "T8443" is a custom TCP service object for port 8443; create it first if it does not already exist, and replace "KPN-INET-VL6" with the name of your own WAN interface.
config firewall policy
edit 0
set name "INET to Loopback SSL-VPN"
set srcintf "KPN-INET-VL6"
set dstintf "SSL-VPN-LO"
set action accept
set srcaddr "all"
set dstaddr "SSL-VPN-LO-IP4"
set schedule "always"
set service "T8443"
set logtraffic all
next
end
Step 4 - Point the SSL-VPN configuration at the loopback interface
config vpn ssl settings
set port 8443
set source-interface "SSL-VPN-LO"
end
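The following is an added example, not part of the original page, showing what the four steps above enable once they are in place: the custom service object the policy depends on, a geography address object so that the source is no longer "all", and a version of the INET-to-loopback policy that actually uses the L7 capabilities a regular policy gives you. The names "T8443", "GEO-NL" and "wan1" are assumptions; the default "certificate-inspection" SSL profile and "default" IPS sensor ship with FortiOS.

```fortios
## Custom TCP service for the SSL-VPN port (assumed name "T8443", as referenced by the policy)
config firewall service custom
    edit "T8443"
        set tcp-portrange 8443
    next
end

## Geography address object (assumed name "GEO-NL"); adjust the country code to your own
config firewall address
    edit "GEO-NL"
        set type geography
        set country "NL"
    next
end

## Hardened INET-to-loopback policy: narrowed source, IPS on the listener, full logging
config firewall policy
    edit 0
        set name "INET to Loopback SSL-VPN"
        set srcintf "wan1"                              ## assumed WAN interface name
        set dstintf "SSL-VPN-LO"
        set action accept
        set srcaddr "GEO-NL"                            ## instead of "all"
        set dstaddr "SSL-VPN-LO-IP4"
        set schedule "always"
        set service "T8443"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"    ## do not deep-inspect the VPN's own TLS
        set ips-sensor "default"
        set logtraffic all
    next
end
```

Only certificate inspection is used because deep inspection would have to terminate the SSL-VPN's own TLS session, which breaks the VPN; IPS signatures that match on the handshake and on plaintext pre-authentication requests still apply. Two further checks worth making: the VIP in Step 2 uses `set extintf "any"`, so if the unit has a single internet-facing interface, bind the VIP to that interface instead to keep the port from being reachable from other interfaces; and after the change, confirm from an external host that the portal answers on the public IP and port 8443 and that the hits appear in the forward traffic log under the new policy rather than in the local-in log.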